Malicious Version of Popular Mobile Game Pokemon Go App Spotted

There’s something about the mobile market that keeps it strong—with more and more games making their way to App Store and Google Play. However, the growth of mobile games makes them an ideal attack vector for cybercriminals as well. Recently, Pokemon Go, the newly released augmented reality mobile game excited fans all over the globe. Unfortunately, cybercriminals were quick to take advantage of the hype. A modified version of the Pokemon Go app has been found, packing a malicious remote access trojan (RAT) named DroidJack (identified by Trend Micro as AndroidOS_SANRAT.A). The malicious app is available on third party file-sharing sites, and was uploaded on July 7—less than 72 hours after the game was officially released in the US, Australia, and New Zealand.

The targets of the malicious app do not include users in the US, Australia, and New Zealand, but rather users who rushed to side-load the app before it was officially released in their region. This RAT, distributed through unofficial portals, could virtually give an attacker full control over a victim’s phone. The malicious app is capable of obtaining all the permissions needed for an Android device’s main functions, including accessing, modifying, and executing calls, SMS, phonebook, camera, and audio recorder, as well as enabling or disabling Wi-Fi connectivity.

Media outlets reportedly offered instructions on how to download the game from third party services, including how to install the APK (Android application package), resulting in a massive server overload. The frenzy prompted people to pass around the APK files so that people living in locations where Pokemon Go isn’t available could side-load it.

The app also requires full Gmail account access, which means that Pokemon Go and Niantic, the developer, have permission to read emails and access all Google Drive content, among other things. It appears that if users signed up with their Google account, they might not be fully aware of the app’s “full account access”, a risk isolated to iOS devices. Based on further analysis, the Pokemon app didn’t explicitly ask for permission for full account access when logging in with Google credentials. According to an update by Niantic, however, it didn’t read emails, and the “full account access” given to its iOS app will be scaled back by Google. “Pokemon Go only accesses basic Google profile information (specifically your user ID and email address) and no other Google account information is or has been accessed or collected”, says Niantic.

While there have been no reports of players being affected by the malicious app yet, users are still advised to be wary of apps downloaded from unofficial third party stores. The infected APK version of Pokemon Go shows no telltale signs unless the player checks the app’s permissions and compares them with the official app’s permissions.
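The permission comparison described above, automated as an added example (not Trend Micro or Niantic code): it parses the text printed by `aapt dump permissions <apk>` for the official build and for a side-loaded build, and reports every permission the side-loaded build declares that the official one does not, mapped to the capability it grants. The watchlist of permissions, the package name and both permission dumps are constructed for illustration, not taken from either real app.

```python
import re

# Permissions matching the capabilities the article attributes to the RAT
# (calls, SMS, phonebook, camera, audio recorder, Wi-Fi control).
# Constructed watchlist; extend it for your own baseline.
HIGH_RISK = {
    "android.permission.CALL_PHONE": "calls",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_CONTACTS": "phonebook",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "audio recorder",
    "android.permission.CHANGE_WIFI_STATE": "Wi-Fi control",
}

# Matches both the older "uses-permission: android.permission.X" and the
# newer "uses-permission: name='android.permission.X'" aapt line forms.
_PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)'?")

def parse_aapt_permissions(dump: str) -> set[str]:
    """Extract declared permission names from `aapt dump permissions` text."""
    perms = set()
    for line in dump.splitlines():
        m = _PERM_RE.match(line.strip())
        if m:
            perms.add(m.group(1))
    return perms

def excess_permissions(official_dump: str, suspect_dump: str) -> dict[str, str]:
    """Permissions in the suspect build but not the official one, each mapped
    to its capability ('other' if not on the watchlist). Empty means no extras."""
    extra = parse_aapt_permissions(suspect_dump) - parse_aapt_permissions(official_dump)
    return {p: HIGH_RISK.get(p, "other") for p in sorted(extra)}

# Constructed sample dumps (not real aapt output from either app).
OFFICIAL = """package: com.example.game
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.CAMERA'
"""
SIDELOADED = """package: com.example.game
uses-permission: android.permission.INTERNET
uses-permission: android.permission.ACCESS_FINE_LOCATION
uses-permission: android.permission.CAMERA
uses-permission: android.permission.READ_SMS
uses-permission: android.permission.RECORD_AUDIO
uses-permission: android.permission.CHANGE_WIFI_STATE
uses-permission: android.permission.WAKE_LOCK
"""
```

Running `excess_permissions(OFFICIAL, SIDELOADED)` on the samples flags the SMS, microphone and Wi-Fi permissions as extras; a trustworthy side-loaded copy should produce an empty result against the official build.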

To be safe, it is still best to wait and download only from legitimate app stores. It is also important to be aware of what the app is allowed to access, and to understand the risks before accepting any terms or granting certain permissions to apps.
